A little history.
Back in 2016, before CMMC was a thing, I started following the insertion of various cyber security clauses that were added to the FAR and the DFARS. The FAR clause required basic cyber hygiene. The DFARS went further and required compliance with a variety of NIST standards. Since that time companies have struggled to comply. The establishment of these clauses is what led to today’s CMMC certification process.
Even though companies have continued to struggle, the types and number of threats grow every day. So DOD decided to go a step further than contract clauses. It developed the CMMC certification, which requires all of its contractors to achieve certification through a third-party assessor. The third-party assessor will conduct a site visit and determine whether a company’s policies and practices comply with the requirements. There is no self-certification option.
What about non-DOD contractors?
The requirements of FAR 52.204-21 are equivalent to CMMC Level 1 certification. This clause must be included in solicitations and contracts when the contractor or a subcontractor at any tier MAY have federal contract information residing in or transiting through its information system.
There are two important matters to consider when analyzing the FAR clause. First, note that the standard is “may” and not “shall”. This is an important distinction. Essentially, it means that if there is any possibility that federal contract information will reside in or transit through the contractor’s information system, the clause must be included. Second, we must consider the definition of federal contract information (FCI).
According to the CMMC Appendices V1.02_20200318, FCI is information that you or your company obtained while doing work for the federal government and that is not publicly shared. The full definition follows.
“Federal Contract Information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public web sites) or simple transactional information, such as necessary to process payments.”
This publication includes a few examples of what constitutes FCI and suggestions on how to deal with very common situations most companies face.
You help manage IT for your employer. You and your coworkers are working on a big proposal, and all of you will put in extra hours over the weekend to get it done. Part of the proposal includes FCI. FCI is information that you or your company get from doing work for the Federal government. Because FCI is not shared publicly, you remind your coworkers to use their company laptops, not personal laptops or tablets, when working on the proposal over the weekend.
As you can see, CMMC related matters are going to pop up everywhere in the very near future. Currently, the GSA 8(a) STARS III solicitation contains a requirement that contractors indicate what activities they are taking to obtain CMMC certification. This information must include the level of certification that they will seek and the date by which they will obtain the certification.
The draft scorecard for CIO-SP4 was also recently released. It includes a Level 2 requirement for other-than-small-business offerors.
Whether DOD has officially launched the certification process or not, it’s time to get ready.
I have partnered with Covenant Security Solutions to bring the necessary information that small businesses need to get started complying with CMMC and the FAR clause.